New cybersecurity obligations
The NIS2 Directive came into force in October 2024, expanding EU cybersecurity requirements to many more businesses. If you're a medium-sized company in a covered sector, you likely have new obligations—including how you handle email infrastructure.
Published January 2026 · 12 min read
What is NIS2?
The Network and Information Security Directive 2 (NIS2) is the EU's updated cybersecurity framework, replacing the original 2016 NIS Directive. It came into effect on 18 October 2024, with member states required to transpose it into national law.
The short version: NIS2 significantly expands which businesses must meet cybersecurity requirements, introduces personal accountability for management, and mandates specific incident reporting timelines.
Key changes from NIS1
- Broader scope — Many more sectors and company sizes covered
- Size-cap rule — All medium and large entities in covered sectors must comply
- Management accountability — Personal liability for leadership
- Stricter reporting — 24-hour initial notification, detailed follow-ups
- Supply chain focus — Must assess supplier cybersecurity
- Higher penalties — Up to €10 million or 2% of global turnover
Does NIS2 apply to your business?
NIS2 uses a "size-cap rule"—if you're a medium-sized or large entity in a covered sector, you're likely in scope.
Size thresholds
| Classification | Employees | Annual turnover | NIS2 status |
|---|---|---|---|
| Large enterprise | 250+ | > €50 million | In scope |
| Medium enterprise | 50-249 | €10-50 million | In scope |
| Small enterprise | < 50 | < €10 million | Generally exempt* |
*Some small businesses may still be in scope if they provide critical services (e.g., sole provider of an essential service in a region) or are in specific high-risk categories like trust service providers.
Sectors covered
NIS2 covers significantly more sectors than its predecessor:
Essential entities (highest obligations)
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial markets
- Healthcare
- Drinking water and wastewater
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Important entities
- Postal and courier services
- Waste management
- Chemical manufacturing/distribution
- Food production and distribution
- Manufacturing (medical, computers, electronics, machinery, vehicles)
- Digital providers (marketplaces, search engines, social platforms)
- Research organizations
The supply chain effect
Here's where NIS2 gets interesting for smaller businesses: even if you're not directly in scope, your customers might be.
Why this matters
NIS2 requires covered entities to assess and manage cybersecurity risks in their supply chain. This means your enterprise customers may start asking for security certifications, compliance documentation, and evidence of security practices—even if you're a small vendor.
In practice: if you sell software or services to medium/large European businesses in covered sectors, expect more security questionnaires and compliance requirements.
What NIS2 requires: The four pillars
1. Risk management
Covered entities must implement "appropriate and proportionate" technical and organizational measures to manage cybersecurity risks. For email infrastructure, this includes:
- Access control — Multi-factor authentication (MFA) is essentially mandatory
- Encryption — Data must be encrypted in transit and at rest
- Network security — Firewalls, intrusion detection, segmentation
- Incident handling — Documented procedures for detecting and responding to incidents
- Business continuity — Backup and recovery procedures
- Supply chain security — Vendor risk assessment
2. Corporate accountability
This is a significant change from NIS1: management bodies are personally accountable for ensuring cybersecurity measures are implemented.
What this means in practice
- Board members and executives can face personal sanctions
- Mandatory cybersecurity training for leadership (Germany requires 4 hours within 3 years)
- Management must approve risk management measures
- Governance failures can result in temporary bans from leadership roles
3. Incident reporting
NIS2 introduces strict, multi-stage reporting requirements for "significant incidents":
| Timeline | Requirement | Content |
|---|---|---|
| 24 hours | Early warning | Initial notification that a significant incident has occurred |
| 72 hours | Incident notification | Full report detailing the breach and mitigation measures |
| 1 month | Final report | Recovery efforts, root cause, long-term improvements |
A "significant incident" is one that causes or could cause severe operational disruption or financial loss, or that affects other entities.
4. Business continuity
Entities must have plans for maintaining operations during and after cybersecurity incidents:
- Backup management — Regular, tested backups with secure storage
- Disaster recovery — Documented procedures for system restoration
- Crisis management — Defined roles and communication procedures
- Testing — Regular testing of continuity plans
Email infrastructure under NIS2
Email is often a primary attack vector and a critical business system. NIS2's requirements have specific implications for how you manage email infrastructure.
Authentication requirements
NIS2 explicitly mentions "multi-factor authentication or continuous authentication solutions" as required measures. For email:
- MFA for email access — All email accounts should require MFA
- MFA for administrative access — Email system administration must use MFA
- API authentication — Email integrations should use secure authentication (API keys, OAuth)
Encryption requirements
NIS2 requires "voice, video, and text encryption" for communications. For email infrastructure:
- TLS for email transport — Mandatory encryption in transit
- Encryption at rest — Stored emails must be encrypted
- End-to-end encryption — Consider for sensitive communications
Access control
The principle of least privilege applies to email systems:
- Limit mailbox access — Only necessary personnel should access shared mailboxes
- Audit email access — Log and monitor who accesses what
- Third-party access — Carefully control what email automation tools can access
The OAuth mailbox problem
Traditional email automation (Zapier, Power Automate) requests full OAuth access to your entire mailbox. Under NIS2's least-privilege requirements, this broad access is harder to justify. Selective email processing—where automation only touches specific email streams—aligns better with NIS2's access control principles.
Supply chain considerations
Your email infrastructure vendors are part of your supply chain. Under NIS2, you should assess:
- Where is email data processed? — Jurisdiction matters for incident reporting
- What security certifications do vendors have? — SOC 2, ISO 27001, etc.
- How do vendors handle incidents? — Will they notify you within your reporting timeline?
- What access do vendors have? — Can they read your email content?
Penalties and enforcement
NIS2 significantly increases penalties compared to NIS1:
Essential entities
Up to €10 million or 2% of global annual turnover, whichever is higher
Important entities
Up to €7 million or 1.4% of global annual turnover, whichever is higher
Beyond fines, enforcement powers include:
- Regular audits and security inspections
- Binding instructions to implement specific measures
- Temporary bans on individuals holding management positions
- Public disclosure of non-compliance
Implementation timeline
NIS2 became applicable on 18 October 2024, but national transposition varies:
- October 2024 — NIS2 in effect, NIS1 repealed
- Germany — Implementation act passed November 2025, effective December 2025
- Other member states — Varying timelines; some behind schedule
If you're in a covered sector, the time to prepare is now—not when your specific country finalizes transposition.
Practical steps for email infrastructure
Immediate actions
- Enable MFA everywhere — Email accounts, admin panels, API access
- Audit current access — Who can access what email data?
- Review OAuth permissions — What third-party apps have email access?
- Document your email flow — Where does email data go? Who processes it?
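The OAuth mailbox problem described earlier and the "Review OAuth permissions" step above both come down to the same check: which third-party apps hold scopes that cover the entire mailbox, and which grants are no longer used. Here is an added Python example (not EmailConnect's code) that runs that review over a constructed grant inventory; the scope strings are real Microsoft Graph and Gmail scope names, while the app names and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Scope strings that grant read or read/write access to a whole mailbox.
# These are real Microsoft Graph / Gmail scope names; the app inventory below is constructed.
FULL_MAILBOX_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
SEND_ONLY_SCOPES = {"Mail.Send", "https://www.googleapis.com/auth/gmail.send"}

@dataclass
class Grant:
    app: str
    scopes: frozenset
    last_used: date  # last time a token for this grant was used

def classify(grant):
    """Return 'full-mailbox', 'send-only' or 'selective' for one OAuth grant."""
    if grant.scopes & FULL_MAILBOX_SCOPES:
        return "full-mailbox"
    if grant.scopes & SEND_ONLY_SCOPES:
        return "send-only"
    return "selective"

def review_grants(grants, today, stale_after_days=90):
    """Return (app, finding) pairs for grants that need a documented justification or revocation."""
    findings = []
    for g in grants:
        if classify(g) == "full-mailbox":
            findings.append((g.app, "full-mailbox scope: justify in writing or move to selective processing"))
        if (today - g.last_used).days > stale_after_days:
            findings.append((g.app, f"unused for more than {stale_after_days} days: revoke"))
    return findings

# Constructed inventory, shaped like an export of a tenant's consented enterprise apps.
SAMPLE_GRANTS = [
    Grant("Zapier", frozenset({"Mail.ReadWrite", "User.Read"}), date(2026, 1, 10)),
    Grant("Power Automate", frozenset({"Mail.Read"}), date(2025, 8, 1)),
    Grant("Notification sender", frozenset({"Mail.Send"}), date(2026, 1, 12)),
    Grant("Invoice intake", frozenset({"User.Read"}), date(2026, 1, 14)),
]

def sample_review():
    """Run the review against the constructed inventory as of 15 January 2026."""
    return review_grants(SAMPLE_GRANTS, date(2026, 1, 15))

if __name__ == "__main__":
    for app, finding in sample_review():
        print(f"{app}: {finding}")
```

Each finding is something to record in the access audit: either a written justification for the broad scope or a revocation date.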
Medium-term improvements
- Implement logging — Track email access and processing
- Establish incident procedures — How will you detect and report email-related incidents?
- Assess vendors — Request security documentation from email service providers
- Review encryption — Ensure TLS is enforced, consider additional encryption
Strategic considerations
- Minimize third-party access — Selective processing over full mailbox access
- Consider jurisdiction — EU-hosted email infrastructure simplifies compliance
- Plan for incidents — Your 24-hour reporting clock starts when you detect an issue
- Train leadership — Management needs to understand email security risks
How EmailConnect aligns with NIS2
We designed EmailConnect with security-first principles that support NIS2 compliance:
- No mailbox access — Selective processing only, minimal data exposure
- EU jurisdiction — All data processed in EU, simplifying incident reporting
- Encryption — TLS 1.3 in transit, AES-256 at rest
- Audit logging — Complete processing logs for compliance
- MFA available — Optional but recommended for all accounts
- Configurable retention — Control how long data is stored
Sources and further reading
- NIS2 Directive — European Commission
- NIS2 Technical Implementation Guidance — ENISA
- NIS2 Directive FAQs — European Commission
- NIS2 Requirements Overview
- NIS2 Requirements: A Complete Guide — DataGuard
Questions about NIS2 and your email infrastructure? We're not lawyers, but we're happy to discuss the technical aspects. Get in touch.